Authentication Methods

Endpoint Encryption administrators and users have several
authentication methods to log on to Endpoint Encryption devices. The
methods available are determined by the PolicyServer policy configuration.

Note:

You must use PolicyServer MMC to configure the authentication methods available to
Endpoint Encryption users. It is not possible to
use Control Manager to configure the allowed
authentication methods. However, you can configure Control Manager for domain authentication.

ColorCode

ColorCode™ is a unique authentication method designed for quick
access and easy memorization. Rather than alphanumeric characters or symbols for the
password, ColorCode authentication consists of a user-created color sequence (example:
red, red, blue, yellow, blue, green).

Figure 1. ColorCode Authentication Screen

Domain Authentication

Endpoint Encryption integrates with Active Directory using
LDAP configured in PolicyServer. Endpoint Encryption domain
authentication allows Endpoint Encryption users to use
single sign-on (SSO) between the operating system and the Endpoint Encryption agent. For example, Endpoint Encryption users with domain authentication must
only provide their credentials once to authenticate to the Full Disk Encryption preboot,
log on to Windows, and access the files protected by File Encryption.

For seamless Active Directory integration,
make sure that the following requirements are met:

PolicyServer has joined the domain.

All Endpoint Encryption devices are in the same Active Directory and domain as PolicyServer.

Fixed Password

Fixed password authentication is the most common authentication
method. The fixed password is created by the user and can be almost any string of
numbers, characters, or symbols. You can place restrictions on fixed
passwords to ensure that they are not easily compromised.

PIN

A Personal Identification Number (PIN) is common
identification method requiring a unique sequences numbers. The PIN is created by the
user and can be almost anything. Similar to fixed passwords, you may place restrictions
on the PIN combination.

Remote Help

Remote Help allows Group or Enterprise
Authenticators to assist Endpoint Encryption users who are
locked out and cannot log on to Endpoint Encryption devices
after too many unsuccessful log on attempts, or when the period between the last
PolicyServer synchronization has been too long.

Note:

Remote Help authentication is triggered by Endpoint Encryption device policy rules. Remote Help
policy rules are configurable in both PolicyServer MMC and Control Manager.

Self Help

Self Help
authentication allows Endpoint Encryption users who have
forgotten the credentials to answer security questions and log on to Endpoint Encryption devices without getting Technical
Support assistance. Self Help requires the Endpoint Encryption user to respond with answers to
predefined personal challenge questions. Self Help can replace fixed password or other
authentication methods.

Consider the following when choosing your authentication method or when
configuring Self Help:

Self Help is not available for Administrator and Authenticator
accounts.

Self Help is not available for accounts that use domain
authentication. PolicyServer is unable to change or retrieve previous domain
passwords.

Self Help has a maximum of six questions for each user
account. Users may be unable to log on using Self Help if more than six
questions are configured.

Self Help is only configurable with PolicyServer MMC.

Smart Card

Smart card authentication requires both a PIN and a
physical token to confirm the user identity. Smart card certificates are associated with
the user account and the user's assigned group. Once registered, the user can use smart
card authentication from any Endpoint Encryption device in
that group. Users are free to use any Endpoint Encryption
device in their group and do not need to ask for another one-time password.

To use smart card authentication, make sure that the following requirements are
met:

The smart card reader is connected to the endpoint and the
smart card is inserted into the smart card reader.

ActivClient 6.2 with all service packs and updates installed.

Note:

ActivClient 7.0 and later is not supported.

Specify the smart card PIN in the password field.

Warning:

Failure to provide a correct password sends a password
error and may result in locking the smart card.

Note:

Smart card authentication is only configurable with PolicyServer MMC.

Switching the authentication method from smart card to domain authentication may cause issues for domain users added through ADSync or Active Directory User Import. To resolve this issue, remove the domain user account from the enterprise, and then restart the PolicyServer services to start synchronization with the AD server. The synchronization process adds the user back with domain authentication as the authentication method. Alternatively, you can also add the domain user account back via Active Directory User Import.